Differences
This shows you the differences between two versions of the page.
litespeed_wiki:config:xmlrpc.php_bot_attack_block [2018/03/29 16:01] Jackson Zhang [Block bot attack by user agent] |
litespeed_wiki:config:xmlrpc.php_bot_attack_block [2018/10/05 18:52] (current) Lisa Clarke Proofreading |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== How to block xmlrpc.php bot attack?====== | + | ====== How to Block a Bot Attack ====== |
- | Your server may experience heavy hits from a bot named [http://law.di.unimi.it/BUbiNG.html#wc|BUbiNG]. This may have caused a massive load spike in the server. How can we deny that user agent globally? | + | Your server may experience heavy hits from bots. Here are three different examples of bot attacks and how to block them. |
- | An easy solution is to use a rewrite rule to detect the user-agent, then set environment with action [E=blockbot]. It will drop direct connection from that client IP. | + | ===== Example 1: "BUbiNG" bot ===== |
- | ===== Example 1 ===== | + | "BUbiNG" bot [[http://law.di.unimi.it/BUbiNG.html#wc|BUbiNG]] can cause a massive load spike in the server. To prevent further problems, we can deny that user agent globally. |
- | For example, add the following to the .htaccess of the test.com domain. | + | |
+ | An easy solution is to use a rewrite rule to detect the user agent, and then set environment with the action ''[E=blockbot]''. This will drop the direct connection from that client IP. | ||
+ | |||
+ | Add the following to the ''.htaccess'' of your ''example.com'' domain: | ||
RewriteEngine On | RewriteEngine On | ||
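Review bot: The added sentence "This will drop the direct connection from that client IP" in Example 1 does not say how far the block reaches: whether only the matching request is dropped, or whether later requests from the same IP with a different user agent are dropped too, and for how long. Please state that scope, since the rule matches on user agent but the text describes the effect per IP. Also in the new Example 1 intro, `"BUbiNG" bot [[...|BUbiNG]]` renders the name twice; make the link itself the subject. Finally, "set environment with the action ''[E=blockbot]''" would read better as setting the blockbot environment variable, written the same way as the `[E=blockbot:1]` form in the Example 2 rule.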
Line 12: | Line 15: | ||
To verify, you can run: | To verify, you can run: | ||
- | curl -A "BUbiNG" test.com | + | curl -A "BUbiNG" example.com |
- | If your rules need further debugging, you can enable rewrite log to check. | + | If your rules need further debugging, you can enable the rewrite log for more details. |
- | ===== Example 2 ===== | + | ===== Example 2: "xmlrpc.php" Bot ===== |
- | One a server after configuring cpanel piped logging to push entries to /usr/local/apache/logs/error_log, user can see tons of 404 File not found [/var/www/html/xmlrpc.php] coming through. 404 will not trigger the LSWS WordPress protection feature. The requests look like being processed by the default vhost. How to do them? | + | On a server, after configuring cPanel Piped Logging to push entries to ''/usr/local/apache/logs/error_log'', you can see many ''404 File not found [/var/www/html/xmlrpc.php]'' entries coming through. 404 will not trigger the LSWS WordPress protection feature, because the requests look like they're being processed by the default vhost. |
- | While you should locate the virtual host serving the requests, add vhost level rewrite rule to drop the connection using "E=blockbot". | + | Locate the virtual host serving the requests, and add a vhost-level rewrite rule to drop the connection using ''[E=blockbot]''. |
RewriteRule ^/xmlrpc.php - [E=blockbot:1] | RewriteRule ^/xmlrpc.php - [E=blockbot:1] | ||
- | Do not apply the above at server level since it will block everyone accessing xmlrpc.php globally. | + | **Note:** Do not apply the above at the server level since it will block //everyone// accessing ''xmlrpc.php'' globally. |
+ | |||
+ | |||
+ | ===== Example 3: Cookie Bots ===== | ||
+ | If the bots are cookie related, you can also try something like the following and tailor it to what you need. | ||
+ | |||
+ | RewriteCond %{HTTP_COOKIE} yourcookiename | ||
+ | RewriteRule .* - [F] | ||
+ |
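Review bot: In the new Example 3, `RewriteCond %{HTTP_COOKIE} yourcookiename` is an unanchored match against the whole Cookie header, so it also fires when that string appears inside another cookie's name or value. Suggest showing an anchored pattern such as `(^|;\s*)yourcookiename=` and saying so in the text. The example also answers with `[F]` where Examples 1 and 2 use `[E=blockbot]`, and the text should say why the action differs. Separately, in Example 2 the proofread sentence now joins "404 will not trigger the LSWS WordPress protection feature" to the default-vhost remark with "because", a causal link the previous revision did not state; keep them as two sentences unless the cause is confirmed.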